0
votes

Racking my head with a combo of Terraform + Azure DevOps process and figuring out what is the best strategy to go about this.

I have 3 stages to build and deploy some Terraform code:

  • Stage 1 build: the individual services, e.g. SQL server, database, app service; terraform plan artifact; folder path: terraform\phase1\main.tf .... etc
  • Stage 2 deploy: artifact from Stage 1, terraform apply
  • Stage 3 build & deploy pipes: grab the outbound IP addresses from the deployed Azure app service via the tfstate back-end using data "azurerm_app_service" "this" and add these to the SQL server firewall allowed IPs; folder path: terraform\phase2\main.tf .... etc.

My issue comes through at Stage 3: when I look at the phase2 folder, which only defines the data outputs and resource creation for fw rules, even though we are looking at the same backend state file, terraform plan cannot see any of the resources created in Stage 2 in the folder and therefore plans to destroy them.

In the Phase2 folder my code looks something like this:

data "azurerm_app_service" "tf_dr_awa_core-app" {
  name                = "dr-core-app"
  resource_group_name = "dr-app"
}

resource "azurerm_sql_firewall_rule" "tf_dr_sql_server_firewall" {
  count               = length(split(",", data.azurerm_app_service.tf_dr_awa_core-app.possible_outbound_ip_addresses))
  .....
}

Has anyone come across anything similar, where you have to build the core parts of the infrastructure first and, once they have metadata in the state file, then grab that data and build pipes between the core pieces, in this case the SQL server and the app service?

1
Do you check if the fw rules were already created through the stages in the SQL server? – Charles Xu

Ammm, when terraform started doing the build on stage3 it actually said it was going to destroy by stage2 apply and add the fw rules only, but I just want it to add the fw rules and leave everything else alone from Stage1 and 2. – Sl-NZ

I'm confused about why stage 2 will destroy them. Is it the common action the stage does? Or how do you set them? Can you share the YAML file? – Charles Xu

Below is my folder layout for Terraform:

─tf-dr
    ├───phase1
    │      main.tf
    │      provider.tf
    │      variables.tf
    └───phase2
           main.tf
           provider.tf
           variables.tf

Pipeline Process:
  - Stage1 Builds Phase1
  - Stage2 waits for apply in Stage1 to complete and builds Phase2 targeted to a resource and same state file as Stage1 just to extract the IPs for the app service
  - Stage3 grabs the build from Stage2 and applies it
– Sl-NZ

Edit the YAML message in the question, not in the comment. It's more clear for communities. – Charles Xu

1 Answer

0
votes

For now I have answered my question: for Stage3 I am only targeting a specific resource, therefore it does not care about all the other missing items in the phase2 folder that were initially created in Stage2 from the Phase1 folder.

Folder Layout:

─tf-dr
    ├───phase1
    │      main.tf
    │      provider.tf
    │      variables.tf
    └───phase2
           main.tf
           provider.tf
           variables.tf

Pipeline Layout

  • Stage1 Builds Phase1
  • Stage2 waits for apply in Stage1 to complete and builds Phase2 targeted to a resource and same state file as Stage1 just to extract the IPs for the app service
  • Stage3 grabs the build from Stage2 and applies it
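
A pipeline gate for the situation described in this thread, added here as an example (not code from the question or the answer): it reads the output of `terraform show -json <planfile>` for the phase2 plan and lists every change outside the SQL firewall rules, so a plan that would destroy the Stage2 resources is caught before apply. The plan documents, the addresses `azurerm_app_service.core` and `azurerm_sql_server.dr`, and the allowed-type list are constructed for illustration.

```python
import json

# Assumption: the phase2 plan may only touch SQL firewall rules.
ALLOWED_TYPES = {"azurerm_sql_firewall_rule"}

def review_plan(plan_json, allowed_types=ALLOWED_TYPES):
    """Return violations found in `terraform show -json <planfile>` output."""
    violations = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = rc["change"]["actions"]
        # Data source reads and unchanged resources modify nothing.
        if rc.get("mode") == "data" or actions == ["no-op"]:
            continue
        if rc["type"] not in allowed_types:
            violations.append(f"{rc['address']}: {'+'.join(actions)} not permitted")
    return violations

def _change(address, rtype, actions, mode="managed"):
    # Helper that builds one constructed resource_changes entry.
    return {"address": address, "mode": mode, "type": rtype,
            "change": {"actions": actions}}

FW = "azurerm_sql_firewall_rule.tf_dr_sql_server_firewall"

# Constructed sample: phase2 planned without -target against the shared state.
UNTARGETED_PLAN = json.dumps({"resource_changes": [
    _change("azurerm_app_service.core", "azurerm_app_service", ["delete"]),
    _change("azurerm_sql_server.dr", "azurerm_sql_server", ["delete"]),
    _change(f"{FW}[0]", "azurerm_sql_firewall_rule", ["create"]),
]})

# Constructed sample: the same plan restricted to the firewall rule resource.
TARGETED_PLAN = json.dumps({"resource_changes": [
    _change("data.azurerm_app_service.tf_dr_awa_core-app", "azurerm_app_service",
            ["read"], mode="data"),
    _change(f"{FW}[0]", "azurerm_sql_firewall_rule", ["create"]),
    _change(f"{FW}[1]", "azurerm_sql_firewall_rule", ["create"]),
]})

if __name__ == "__main__":
    for name, plan in (("untargeted", UNTARGETED_PLAN), ("targeted", TARGETED_PLAN)):
        problems = review_plan(plan)
        print(name, "FAIL" if problems else "OK", problems)
```

Run it between the plan and apply stages and fail the stage when the returned list is non-empty.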